Embedded credentials, also often referred to as hardcoded credentials, are plain text credentials in source code. Password/credential hardcoding refers to the practice of embedding plain text (non-encrypted) credentials (account passwords, SSH keys, DevOps secrets, etc.) directly into source code.
However, the practice of hardcoding credentials is increasingly discouraged as it poses formidable security risks that are routinely exploited by malware and hackers. In some cases, a threat actor (perhaps aligned with a nation-state) may insert hardcoded credentials to create a backdoor, allowing them persistent access to a device, application, or system.
This blog aims to provide an overview of embedded/hardcoded credentials and will cover where they are commonly found, how hardcoded credentials are used, the risks they pose, the challenges of managing them, and four best practices for addressing embedded credentials across your enterprise.
How are Embedded Passwords Used and Where are they Found?
Manufacturers and software companies commonly hardcode passwords into hardware, firmware, software, IoT and other devices, scripts, applications, and systems because it helps to simplify deployments at scale. Developers and other users may also embed credentials into code, for easy access as part of their workflow.
Proponents of hardcoding credentials also claim it provides an extra layer of assurance so that unsophisticated users cannot tamper with the code or product.
Passwords are commonly embedded in:
- Software applications, both locally installed and cloud-based
- BIOS and other firmware across computers, mobile devices, servers, printers, etc.
- Internet of Things (IoT) devices and medical devices
- DevOps tools
- Network switches, routers, and other control systems (SCADA, etc.)
Embedded passwords are routinely used for:
- Setting up new systems
- API and other system integrations
- Encryption and decryption keys
- Privileged and superuser access
- Application-to-Application (A2A) and Application-to-Database communications
Why are Embedded/Hardcoded Credentials Risky?
Hardcoded credentials are favored targets for password guessing attacks, allowing hackers and malware to hijack firmware, devices (such as health monitoring equipment), systems, and software.
Often, the same hardcoded credential, or a limited number of them, is used across all applications (many of which require elevated privileges to function) or devices produced by a manufacturer or software development company within a particular series, release, or model. So, once a hacker knows the default password, they can potentially compromise all similar devices or application instances. This kind of exploit has resulted in some massive cyberattacks that have caused large-scale security breaches, worldwide outages, and even jeopardized critical infrastructure.
Moreover, developers and other IT personnel frequently embed passwords in code for easy access when they need it. However, sometimes these passwords are forgotten and remain embedded in plain text in the code. Sometimes the code is even published (such as to GitHub) with the plain text password easily discoverable by anyone with widely available scanning tools. This is apparently what happened with the Uber breach that exposed information on 57 million customers, plus roughly 600,000 drivers. An Uber employee published plain text credentials within source code. This code was, at some point, inadvertently posted on GitHub, a popular repository used by developers. It likely did not take much technical chops for a watchful hacker to notice the embedded credentials on GitHub, then use them to gain privileged access to Uber’s Amazon AWS instances.
Hardcoding not only presents a cyber risk for the specific device, firmware, application, etc. itself, but also for other components of the connected IT ecosystem. Additionally, innocent third parties can be impacted by hardcoding negligence, as they could be assailed by DDoS attacks from botnets of devices enslaved via a hardcoded credential compromise. This is exactly what happened with the Mirai malware, which rose to prominence in late 2016 (though, in all likelihood, it was active years earlier).
Mirai scans for the Telnet service on Linux-based IoT devices running BusyBox (such as DVRs and web IP cameras), and on unattended Linux servers. Through a brute force attack it then applies a table of 61 known hardcoded default usernames and passwords to attempt login. Mirai and its variants were used to assemble enormous botnets of IoT devices, up to about 400,000 connected devices, unbeknownst to most of their owners. Mirai-related botnets waged some of the most disruptive DDoS attacks to date. Victims of the Mirai IoT botnet included French Telecom, Krebs on Security, Dyn, Deutsche Telekom, Russian banks, and the country of Liberia, all of which suffered significant downtime as a result of the DDoS onslaught.
Additionally, DevOps tools often have secrets embedded in scripts or files, which potentially jeopardizes security for the entire automation process. Thus, gaining control of embedded passwords and keys is an essential requirement for secrets management and DevOps security.
Key Challenges to Managing & Securing Embedded Passwords
Operational Risk: Hardcoded credentials are often created with the intention that they never be changed—despite the risk that stale passwords present. Thus, admins may feel wary about trying to change certain types of embedded passwords for fear of breaking something in the system, and potentially disrupting company operations.
Limited visibility and awareness: A mid-sized organization may have hundreds of thousands—even millions—of passwords, keys, and other secrets sprawled across devices, applications, and systems. Some of this likely includes shadow IT, which is even further shrouded from IT’s line of sight. Understanding where all of an organization’s embedded passwords exist can present a daunting undertaking—especially without the right tools for the task. Gaining visibility into all the embedded/hardcoded credentials will require a comprehensive audit and discovery process. As a corporate IT policy, you should also always review vendor documentation about hardcoded and default passwords, so you can immediately plan remediation as part of the deployment.
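The "widely available scanning tools" mentioned above in the Uber example, and the audit and discovery process called for here, both come down to pattern matching over source files. The following is an added example, not code from the original post or from BeyondTrust: a minimal pre-commit style scanner that flags AWS access key IDs, private key blocks, and quoted credential assignments, using a Shannon entropy threshold to drop obvious placeholders such as "changeme". The sample file and all key values are constructed for this example.

```python
import math
import re
from typing import List, Tuple

# Credential shapes to look for. The AWS access key ID format (AKIA followed by
# 16 uppercase alphanumerics) is publicly documented; the assignment pattern
# catches `password = "..."`-style string literals.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{6,})['\"]"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking secrets score high, placeholders low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_source(text: str, min_entropy: float = 3.0) -> List[Tuple[int, str, str]]:
    """Return (line_no, finding_type, matched_value) for each suspected secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(2) if name == "credential_assignment" else m.group(0)
                # Low-entropy literals are usually placeholders; skip them to cut noise.
                if name == "credential_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append((line_no, name, value))
    return findings

# Constructed sample source file; the key and passwords are made up for this example.
SAMPLE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE012345678"
db_password = "changeme"
api_key = "q8Zr4TkL2mPx9vWs1nBd"
password = os.environ["DB_PASSWORD"]
"""

if __name__ == "__main__":
    for line_no, kind, value in scan_source(SAMPLE):
        print(f"line {line_no}: {kind}: {value}")
```

Line 5 of the sample, which reads the password from the environment at runtime instead of embedding it, produces no finding; that is the shape the remediation section below recommends.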
Inadequate tools: Unfortunately, there is no viable manual way to detect or centrally manage passwords stored within applications or scripts. Securing embedded credentials hinges on first separating the password from the code, so that when it’s not in use, it’s secured in a centralized password safe, as opposed to being constantly exposed in plain text.
Some IT security vendors offer privileged password management solutions that are able to continually discover hardcoded and default passwords and bring them under management, including enforcing password rotation and other best practices.
4 Ways to Mitigate the Risks of Embedded Passwords
If you want to reduce your exposure to embedded passwords, there are a few steps you can take:
- Bring application passwords under management: Introduce a third-party privileged password management or application password management solution that uncovers default and hardcoded credentials across the enterprise, and forces applications, scripts, etc. to call (or request) the use of the password from a centralized password safe. Once the credentials are under management, the tool can enforce password security best practices, including password rotation, password length and uniqueness, to dramatically reduce cyber risk.
- Refuse to buy software or hardware that includes hardcoded credentials: Refusing to buy software and hardware with hardcoded password vulnerabilities helps put pressure on vendors to eliminate this poor security practice. California has taken a step in this direction by passing a law that bans default passwords in consumer devices, starting in 2020. Take this as a harbinger of more regulations targeting embedded and default authentication credentials to come.
- Vulnerability management: Software and product vendors periodically release patches to address flaws, such as hardcoded passwords. If you have a thorough vulnerability scanning and patch management process in place, you can expeditiously resolve these issues once they are identified and a patch is available.
- Perform Pen Testing: For organizations with the most stringent of security environments, hiring outside pen testers to poke and prod for vulnerabilities, such as hardcoded and default credentials, provides an extra measure of proactive cyber defense.
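The first mitigation above, and the "Inadequate tools" point earlier, both rest on one change: the application requests the credential from a centralized safe at each use instead of carrying it in code. The following is an added example, not code from the original post or from any BeyondTrust product. It shows the hardcoded form beside the managed form and why the managed form removes the operational risk of rotation: the in-memory PasswordSafe and Database classes are constructed stand-ins (a real deployment would call the vault vendor's API over TLS using the application's own identity), and the path "prod/db/app-user" and caller name are assumptions.

```python
import hmac
import secrets
from typing import Dict, List, Tuple

class PasswordSafe:
    """Stand-in for a centralized password safe (constructed for this example)."""
    def __init__(self) -> None:
        self._store: Dict[str, str] = {}
        self.access_log: List[Tuple[str, str]] = []  # every retrieval is attributable

    def put(self, name: str, value: str) -> None:
        self._store[name] = value

    def rotate(self, name: str) -> str:
        self._store[name] = secrets.token_urlsafe(24)
        return self._store[name]

    def get(self, name: str, caller: str) -> str:
        self.access_log.append((caller, name))
        return self._store[name]

class Database:
    """Toy backend that accepts exactly one current password."""
    def __init__(self, password: str) -> None:
        self._password = password
    def set_password(self, password: str) -> None:
        self._password = password
    def login(self, password: str) -> bool:
        return hmac.compare_digest(self._password, password)

# Before: the credential lives in the code, so a rotation on the database side breaks it.
DB_PASSWORD = "Sup3rS3cret!"  # constructed example value
def connect_hardcoded(db: Database) -> bool:
    return db.login(DB_PASSWORD)

# After: the application asks the safe at each use, so rotation is one coordinated
# step (rotate in the safe, push to the database) and no deployment is needed.
def connect_managed(db: Database, safe: PasswordSafe) -> bool:
    return db.login(safe.get("prod/db/app-user", caller="billing-service"))

def rotate_db_credential(db: Database, safe: PasswordSafe) -> None:
    db.set_password(safe.rotate("prod/db/app-user"))

def demo() -> Tuple[Tuple[bool, bool], Tuple[bool, bool]]:
    """Returns (hardcoded, managed) login results before and after one rotation."""
    safe = PasswordSafe()
    safe.put("prod/db/app-user", DB_PASSWORD)
    db = Database(DB_PASSWORD)
    before = (connect_hardcoded(db), connect_managed(db, safe))
    rotate_db_credential(db, safe)
    return before, (connect_hardcoded(db), connect_managed(db, safe))
```

The access log in the safe is the second benefit: each retrieval is tied to a named caller, which is the audit trail a hardcoded literal can never provide.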
BeyondTrust helps thousands of organizations eliminate embedded credentials of all kinds, and bring them under management. Contact us to learn more, or to get a personalized demo.
Matt Miller, Director, Content Marketing & SEO
Matt Miller is Director, Content Marketing at BeyondTrust. Prior to BeyondTrust, he developed and executed marketing strategies on cybersecurity, cloud technologies, and data governance in roles at Accelerite (a business unit of Persistent Systems), WatchGuard Technologies, and Microsoft. Earlier in his career Matt held various roles in IR, marketing, and corporate communications in the biotech / biopharmaceutical industry. His experience and interests traverse cybersecurity, cloud / virtualization, IoT, economics, information governance, and risk management. He is also an avid homebrewer (working toward his Black Belt in beer) and writer.